
Adobe Flash Player 18.0.0.203 still vulnerable

  • 3 replies
  • 49 have this problem
  • 14 views
  • Last reply by James


Sorry to bring bad news but Flash Player is still vulnerable. On July 10, 2015 a second zero-day was discovered in the Hacking Team's leaked data.

External links:

  • Adobe security advisory APSA15-04: https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
  • Malwarebytes Unpacked blog: https://blog.malwarebytes.org/exploits-2/2015/07/new-hacking-team-flash-player-0day-uncovered/

It appears it was already integrated into exploit kits according to Kafeine from MalwareDontNeedCoffee and Malwarebytes.


Chosen solution

Thank you for the update.

If there's no update available from Adobe that fixes this issue, it's unlikely that the current version of the Flash plugin would be blocked (the Java Deployment Toolkit seems to be a rare exception).

For one's own purposes, limiting use of Flash to trusted sources and "necessary" media is a good idea. You can do that using the click-to-play feature as follows:

Open the Add-ons page using either:

  • Ctrl+Shift+a
  • "3-bar" menu button (or Tools menu) > Add-ons

In the left column, click Plugins. Look for "Shockwave Flash" and change "Always Activate" to "Ask to Activate".

When you visit a site that wants to use the Flash, you should see a notification icon in the address bar and one of the following: a link in a black rectangle in the page or an infobar sliding down between the toolbar area and the page.

If you do not see an immediate need to run Flash, you can simply ignore the notification.

Unfortunately, because Flash can be embedded from other sites, this is not a complete solution. Even if you trust SiteA, if it is compromised with media from SiteB, the embedded media will play.

You can make the click-to-play feature more granular, rather than trusting all media on a site-by-site basis, using an extension. For example: https://addons.mozilla.org/firefox/addon/click-to-play-per-element/


I notice you linked to an article about Malwarebytes Anti-Exploit, which has a free version that should help protect against this exploit. Have you tried it? Does it affect browser performance much?

https://www.malwarebytes.org/antiexploit/
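The following is an added example, not part of the reply above: a small audit that reports which Firefox profiles still run Flash without prompting. It assumes the Add-ons Manager choice is stored in `prefs.js` as `plugin.state.flash` (0 = Never, 1 = Ask, 2 = Always Activate) and that an absent entry means Always Activate; the profile names and contents in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed meaning of the plugin.state.flash values (see lead-in).
STATES = {0: "Never Activate", 1: "Ask to Activate", 2: "Always Activate"}
PREF_RE = re.compile(r'^user_pref\("plugin\.state\.flash",\s*(\d+)\);', re.M)

def flash_state(prefs_text, default=2):
    """Return plugin.state.flash from prefs.js text.
    default=2 is an assumption: the value in effect when the pref is absent."""
    m = PREF_RE.search(prefs_text)
    return int(m.group(1)) if m else default

def audit_profiles(root):
    """Map each profile directory under root to its Flash activation label."""
    report = {}
    for prefs in sorted(Path(root).glob("*/prefs.js")):
        text = prefs.read_text(encoding="utf-8", errors="replace")
        report[prefs.parent.name] = STATES.get(flash_state(text), "unknown")
    return report

def always_active(report):
    """Profiles where Flash content starts without a click-to-play prompt."""
    return [name for name, label in report.items() if label == "Always Activate"]

def demo():
    """Run the audit over three constructed profiles in a temporary directory."""
    samples = {
        "abc123.default": 'user_pref("plugin.state.flash", 1);\n',
        "def456.work": 'user_pref("browser.startup.page", 3);\n',  # pref absent
        "ghi789.test": 'user_pref("plugin.state.flash", 2);\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for name, text in samples.items():
            profile = Path(root) / name
            profile.mkdir()
            (profile / "prefs.js").write_text(text, encoding="utf-8")
        return audit_profiles(root)

if __name__ == "__main__":
    report = demo()
    for name, label in report.items():
        print(f"{name}: {label}")
    print("Needs 'Ask to Activate':", ", ".join(always_active(report)))
```

To check real profiles, call `audit_profiles()` with the directory that holds your Firefox profile folders.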


All Replies (3)


Thank you for the prompt response. I was mostly looking for an advised statement rather than real help considering that this is already the 2nd Adobe Flash zero-days season in this year. I always have Flash set to click to play. I use NoScript which supersedes Click to play per element. Yes, I am running Malwarebytes Anti-Exploit and it only has noticeable impact on boot.

Modified by pal100x


It has been mentioned in https://support.mozilla.org/en-US/forums/plug-check-page-discussions/711386#post-65949

Pretty much every version of Flash that has had a critical vulnerability since December has been blocked: https://addons.mozilla.org/firefox/blocked/. So the current plugin-based versions for Windows, Mac OSX and Linux will likely be blocked once Adobe has updates on the Adobe site, like at https://www.adobe.com/products/flashplayer/distribution3.html